Anatomy of an attack: detecting and defeating CRASHOVERRIDE

Thursday 4 October 15:00 - 15:30, Green room

Joe Slowik (Dragos)

CRASHOVERRIDE was the first electric-grid-specific targeted malware attack observed in the wild, and only the third (as of its discovery) known destructive ICS malware attack. Since then, much has been said about 'how' this malware (also known as Industroyer) functions, but essentially none of it has focused on how the entire attack unfolded and how it might have been detected - or even defeated.

This paper and presentation, leveraging new and previously unavailable information from the attack, will demonstrate that there were multiple stages at which the unfolding CRASHOVERRIDE attack could have been detected - from initial access through ultimate ICS attack payload delivery - and will emphasize that even advanced attackers depend on 'common' exploitation techniques. By examining the attack step by step - essentially providing a dissection - defenders both within and outside ICS environments can learn how to identify and mitigate even the most dedicated and advanced network attacks by focusing on adversary necessities and dependencies.

Joe Slowik

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the incident response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defence, Joe has consistently worked to 'take the fight to the adversary' by applying forward-looking, active defence measures to constantly keep threat actors off balance.
